Google Calendar Privacy Concerns Raised

A misconfiguration in a Google Calendar function that allows Google to index calendars raises serious privacy concerns because it could lead to inadvertent, broad public exposure of calendars that contain sensitive information, including corporate details, a researcher reports.

Avinash Jain, a security researcher at Grofers, an e-commerce company in India, recently pinpointed the privacy concern involving calendar sharing - the latest in a series of privacy issues he's called attention to at Google, Yahoo and others.

Google Calendar users have several options for sharing their calendar so others can view upcoming events. But Jain discovered that any calendar designated as "public" for sharing gets indexed by Google and then can be viewed by anyone making a Google search query, without the calendar link being shared with them.

Google did not respond to Information Security Media Group's request for comment. But in a reply to Forbes, it stated: "Calendar sharing is private by default for both G Suite and consumer Calendar users. G Suite admins can control the level of detail with which enterprise users can share their calendar externally. A G Suite user cannot exceed the level of event details allowed by their admin for external sharing. Calendar sharing is also private by default for all consumer accounts. A consumer user can only share by changing this setting, in which they are notified of how their calendar will become visible to the public."

Take Precautions

U.K.-based Jake Moore, cybersecurity specialist for ESET, an anti-virus company, tells Information Security Media Group that companies using Google calendars must generate user awareness of the risks involved in making them public.

"If companies choose to use Google for their business calendar events, such firms must consider providing adequate training to make sure their employees understand the risks around keeping their company data secure," he says.

Organizations should use the functions of a G Suite admin role, such as setting up an alert when a user makes a calendar public, he adds.

The Risks Involved

Twelve years ago, Google added its "make it public" feature to its web-based calendar service as a way for users to discover events through search engines, Jain notes. "I only recently discovered that sensitive corporate information can inadvertently be made public using Google Calendar," he says.

The warning box pops up when users agree to share their calendars publicly.

Jain claims that there are over 8,000 publicly accessible Google calendars searchable using the Google engine that allow anyone to not only access sensitive details saved to them but also add new events with maliciously crafted information or links.

Google doesn't notify the creator of a public calendar when someone accesses it or adds an event to it, Jain says. Plus, the Google Calendar interface lacks an indicator that a calendar has been designated public so users know not to post sensitive information on it, he adds.

Some security experts are calling on Google to add these and other extra security functions.

Jain points out the recent case involving Shopify, a Canadian e-commerce company. Employees had their Google Calendars set to public, which enabled a researcher to access confidential and sensitive company information.

"By using a tool to find all "@shopify.com" emails, and then running this list through a Google Calendar feature that enables the adding of other people's calendars, the researcher found the public employee ones," Jain says. Information that was accessible included onsite interview data that revealed new hire information as well as internal company presentations and Zoom meeting links that put internal information at risk, Jain says.

Risks Overlooked

Anthony Lim, an independent cybersecurity consultant based in Singapore, say calendar users often don't pay attention to the details.

"Typically, most of us do not bother about calendars since it is something we take for granted," he says. "Google can't be entirely faulted because they do give out a warning to users. However, as users, most of us do not understand the complete implications of the warning. So we tend to grant permission [for public access]."

As a result, users of various services, including Google Calendar, need simpler tools to make clear security choices, says Singapore-based Jerry Ray, COO at SecureAge Technology.

About the Author

Suparna Goswami is Associate Editor at ISMG Asia and has more than 10 years of experience in the field of journalism. She has covered a variety of beats ranging from global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed for Forbes Asia where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine, and leading Indian newspapers like DNA and Times of India.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.in, you agree to our use of cookies.